I'm trying to quantify the exact risk I'm subjecting my PC to if leaving it with Windows XP as opposed to upgrading it to e.g. Windows 7, an upgrade that would be very time-costly in my case. I don't really go on "dodgy" websites and have a firewall & AV. Is there a risk that a new exploit/vulnerability that is uncovered for XP (and not patched due to this OS's support having ceased) will affect my computer in an "unprovoked" manner, just because it is connected to the Internet, and without me accessing a compromised web resource? For instance, will my PC be more vulnerable (with XP as opposed to Win 7) to attacks from the Internet that single out vulnerable OSs, such as ping-based attacks, DDoS etc.?

2 Answers

Using an unsupported OS will leave you at risk. Note that with the latest IE zero-day vulnerability released in the wild, XP was still given an out-of-band patch as about 25% of desktop users still use XP (in May 2014 - judged by internet traffic user agent strings). However, you should not expect Microsoft to continue to patch XP in the future.

You really should upgrade to Win 7 (or Win8) or switch to Linux. Linux will still need to be periodically upgraded, but it is often easier to gracefully upgrade, as the upgrade is free, you don't have to deal with license issues, and it is often easier to automate the process.

As for what attacks you'll be vulnerable to, that will completely depend on the future attack. DDoS isn't a particular worry - in that servers (or your home router) typically worry about that attack (and in that modern OSes don't have much protection against DDoS attacks). Something like a ping-based attack could happen if someone finds flaws in their networking stack. And again, browsing the web very much puts you at risk, especially with tools like Flash, JavaScript, Java, etc. enabled. Even if you don't search out sketchy sites (e.g., looking for pirated software/media), it's very easy to accidentally go to the wrong site (be tricked into clicking a random link). Or an exploit on some live trustworthy website causes your browser to forward to an untrusted page.
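The first answer's figure for XP's share of desktop users came from user-agent strings seen in web traffic. The script below is an added example (not part of the answer or the original page) showing how a site operator can take the same measurement on their own server logs: it parses the user-agent field of Combined Log Format lines, maps the `Windows NT x.y` token to a Windows release, and reports what share of requests come from clients on an unsupported release. The log lines are constructed samples, and the set of NT versions treated as unsupported is an assumption for the example.

```python
import re
from collections import Counter

# Windows NT kernel version tokens as they appear in user-agent strings, mapped
# to marketing names. Well-known values; the mapping is not taken from the page.
NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}

# Assumption for this example: NT 5.x clients are counted as unsupported.
UNSUPPORTED_NT = {"5.1", "5.2"}

# In Combined Log Format the user agent is the last double-quoted field.
UA_RE = re.compile(r'"([^"]*)"\s*$')
NT_RE = re.compile(r"Windows NT (\d+\.\d+)")


def os_from_user_agent(ua):
    """Name the Windows release from a user-agent string, or 'other/unknown'."""
    m = NT_RE.search(ua)
    if not m:
        return "other/unknown"
    return NT_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))


def is_unsupported(ua):
    """True when the user agent reports an NT version in UNSUPPORTED_NT."""
    m = NT_RE.search(ua)
    return bool(m) and m.group(1) in UNSUPPORTED_NT


def summarize(log_lines):
    """Return (requests per OS, share of requests from unsupported clients).

    Lines that do not end with a quoted user-agent field are skipped rather
    than counted, so a malformed line cannot skew the share.
    """
    counts = Counter()
    unsupported = 0
    total = 0
    for line in log_lines:
        m = UA_RE.search(line)
        if not m:
            continue
        ua = m.group(1)
        total += 1
        counts[os_from_user_agent(ua)] += 1
        if is_unsupported(ua):
            unsupported += 1
    share = unsupported / total if total else 0.0
    return counts, share


# Constructed sample log lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '203.0.113.11 - - [01/May/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"',
    '203.0.113.12 - - [01/May/2014:10:00:03 +0000] "GET /a.css HTTP/1.1" 200 200 "-" "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0"',
    '203.0.113.13 - - [01/May/2014:10:00:04 +0000] "GET /b.js HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0"',
    '203.0.113.14 - - [01/May/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"',
    '203.0.113.15 - - [01/May/2014:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '203.0.113.16 - - [01/May/2014:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14"',
    '203.0.113.17 - - [01/May/2014:10:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0"',
    'malformed line with no quoted fields at all',
]

if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f"{name:30s} {n}")
    print(f"share of requests from unsupported clients: {share:.0%}")
```

Run the file directly to print a per-OS breakdown of the constructed log; point `summarize` at the lines of a real access log to get the same report for your own site. Keep in mind that user-agent strings are self-reported and trivially spoofed, so this is a population estimate rather than a reliable identification of any single client.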

You can not quantify the exact risk of still running an XP system. Maybe someone finds a new exploit tomorrow - or not. A firewall and AV are good, but their manufacturers' support for XP will run out too.

It is a common misbelief that only "dodgy websites" pose a risk. So-called "watering hole attacks" are on the rise: malicious hackers infect popular & trusted websites (see here for an example). A compromised ad server, for example, can deliver malware instead of advertisements...

Microsoft introduced some new security features in Windows 7 that did not get backported into XP.

DDoS attacks do not single out vulnerable operating systems: they induce a system overload by, for example, sending thousands of requests per minute. DDoS is a typical server problem.

In summary, each day since the end of support, the risk of running XP grows. The risk might increase disproportionately if someone finds an easily exploitable bug. Personally, I would run XP only in a virtual machine, if at all.